One of my servers with multiple containers has been hacked, and suspicious traffic has been detected by the server provider (bare-metal server at OVH).
I’m rather confident that the host is clean, but I’m not sure which container is faulty.
My containers have network access via an incus bridge.
How can I monitor network traffic by originating container?
Also, what is the way to isolate a specific container, i.e. to suppress network access on a container?
Each container has a veth device. You can tcpdump on that veth from the host.
You can remove networking altogether from a container. You create a copy of the default Incus profile, and in that copy you remove the eth0 device; the rest remains the same. Finally you attach that new profile to the container, replacing the default profile.
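The answer above as a small host-side triage script. This is an added example, not code from the original thread or from the Incus project. It assumes the Incus CLI and tcpdump are installed on the host, that each container's NIC device is named eth0, that Incus records the host-side veth name under the `volatile.eth0.host_name` key, and that the isolating profile is called `no-net` (a name chosen here). The expanded-config check assumes the two-space YAML indentation `incus config show --expanded` produces.

```sh
#!/bin/sh
# Added example, not part of the original thread. Assumptions: Incus CLI and
# tcpdump on the host, the container NIC device is named eth0, and Incus keeps
# the host-side veth name in volatile.eth0.host_name. Run as root on the host.
set -eu

# Host-side veth of a container's eth0 (empty if the container is stopped).
veth_for() {
    incus config get "$1" volatile.eth0.host_name
}

# Quick triage: bytes each container has sent and received, busiest sender first.
# On the HOST side of a veth pair, rx_bytes is traffic coming OUT of the container
# and tx_bytes is traffic going INTO it.
traffic_by_container() {
    incus list -c n --format csv | while read -r name; do
        veth=$(veth_for "$name")
        [ -n "$veth" ] && [ -d "/sys/class/net/$veth" ] || continue
        bytes_out=$(cat "/sys/class/net/$veth/statistics/rx_bytes")
        bytes_in=$(cat "/sys/class/net/$veth/statistics/tx_bytes")
        printf '%s %s %s %s\n' "$name" "$veth" "$bytes_out" "$bytes_in"
    done | sort -k3 -n -r
}

# Capture one container's traffic from the host for N seconds (default 60)
# into a pcap; prints the pcap path. timeout exits 124 when it stops tcpdump.
capture() {
    veth=$(veth_for "$1")
    [ -n "$veth" ] || { echo "$1: no eth0 veth (container stopped?)" >&2; return 1; }
    timeout "${2:-60}" tcpdump -ni "$veth" -w "/root/capture-$1.pcap" || [ $? -eq 124 ]
    echo "/root/capture-$1.pcap"
}

# Cut a container off the network as the answer describes: a copy of the
# default profile minus eth0, assigned in place of "default". Note that
# "profile assign" replaces the container's whole profile list, so a container
# that also used other profiles would need those listed as well.
isolate() {
    incus profile show no-net >/dev/null 2>&1 || {
        incus profile copy default no-net
        incus profile device remove no-net eth0
    }
    incus profile assign "$1" no-net
}

# Confirm eth0 is gone from the container's effective (expanded) device list.
# Assumes the two-space YAML indentation of "incus config show --expanded".
verify_isolated() {
    ! incus config show --expanded "$1" | grep -q '^  eth0:'
}

# Run a function by name: sh triage.sh traffic_by_container
[ "$#" -eq 0 ] || "$@"
```

Typical sequence on the host: `sh triage.sh traffic_by_container` to see which container is pushing the most bytes, `sh triage.sh capture c1 120` to get a pcap for that container from its veth, then `sh triage.sh isolate c1 && sh triage.sh verify_isolated c1` to take it off the bridge without touching anything inside the (possibly compromised) container.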